OCIE-C

SEC OCIE Cybersecurity Compliance

Cybersecurity readiness for SEC-registered investment advisers and broker-dealers, aligned with the SEC Division of Examinations' (formerly OCIE) cybersecurity focus areas.

Background

In April 2015, the SEC issued formal guidance to investment funds and advisers on protection of confidential and sensitive information. The Office of Compliance Inspections and Examinations (OCIE) — now the Division of Examinations — was tasked with assessing industry practices and the legal and compliance issues surrounding cybersecurity. Despite political swings on regulation generally, OCIE-style cybersecurity examinations have continued to rise.

The SEC's most recent risk alerts make the priority explicit: examiners will continue testing the implementation of cybersecurity procedures and controls — not just their existence on paper. Illumant's services help RIAs and broker-dealers build a robust, defensible cybersecurity program that maps directly to the issues OCIE keeps surfacing.

What OCIE keeps finding

Nearly all firms have written cybersecurity policies. The problem is what happens — or doesn't — after that. The OCIE's published observations consistently identify the same gaps:

  • Policies and procedures are narrowly scoped, vague, confusing, or not prescriptive enough to be actionable.
  • Firms do not enforce their stated policies — actual cybersecurity practices diverge from documentation.
  • Annual customer-protection reviews are required, but performed less frequently in practice.
  • Reviews of opportunities to add supplemental security protocols happen infrequently or not at all.
  • Policies and procedures are self-contradictory and confusing to employees.
  • Security awareness training is either non-existent or not tracked to completion.
  • Risk assessments are stale — out of date with current systems and threat landscape.
  • End-of-life operating systems no longer receiving security patches are still in use.
  • High-risk findings from prior penetration tests or vulnerability scans have not been remediated in a timely manner.

What's included — Illumant OCIE-C

Services are offered à la carte to fit your specific examination posture and remediation needs:

OCIE Gap / PPPA-OCIE

Gap analysis ensuring documented IT policies, procedures, and actual practices align with OCIE expectations and adjacent frameworks (HIPAA, SOC, PCI, NIST, ISO, GLBA, SOX, NYDFS 23 NYCRR 500).

Perimeter Security Assessment (PSA)

External vulnerability assessment and penetration testing — the 'hacker's perspective' for which OCIE examiners expect to see evidence.

BreachSmart Security Awareness Training

Short-form, weekly micro-training plus phishing simulations and tracking — directly addresses the OCIE finding that training is non-existent or untracked.

LANSA / CASA / WASA

Internal, critical-asset, and web application testing for client portals, trading platforms, and back-office systems.

Risk Assessment (RA) refresh

Top-down enterprise risk assessment with quantified impact — replaces the stale RA that OCIE consistently flags.

Vendor / third-party review

Vendor management evaluation, including outsourced trading, custody, and cloud providers.

State-level overlap

Illumant's OCIE-C also helps financial institutions meet individual state cybersecurity requirements — most notably New York's Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). One engagement, multiple regulators satisfied.

Ready to start a conversation?

Talk to a senior consultant — we'll scope an engagement that fits your environment.